Cybercriminals are currently spamvertising tens of thousands of fake emails impersonating Intuit, in an attempt to trick Intuit's customers and users into clicking on the malicious links found in the emails.

Once users click on any of the links, they’re exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit, which ultimately drops malware on the affected hosts.

Once executed, the sample creates the following process on the affected hosts:

%AppData%\KB00121600.exe

It also creates the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B

as well as the following mutexes:

Local\XMM00000508

Local\XMI00000508

Local\XMRFB119394

Local\XMM0000009C

Local\XMI0000009C

Local\XMM000000D8

Local\XMI000000D8

Local\XMM00000388

Local\XMI00000388

Upon execution, the sample phones back to the following C&C servers:

hxxp://188.165.33.54:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/

hxxp://174.142.68.239:8080/AJtw/UCyqrDAA/Ud+asDAA/

Not surprisingly, we’ve already seen the same pseudo-random C&C URL structure in campaigns previously profiled at Webroot’s Threat Blog, indicating that these campaigns have been launched by the same malicious parties.
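To turn the host artifacts (dropped process, registry keys, mutexes) and the C&C servers listed above into something that can be hunted for, here is an added Python example that is not part of the original post. It matches the indicators exactly as given, and adds two heuristics that are assumptions rather than anything the post states: the eight hex digits after XMM/XMI look like a process ID and will likely differ between runs, so the mutex shape is matched as well as the exact names; and both C&C URLs share a shape of three short base64-alphabet path segments on port 8080, so that shape is flagged on other servers too. The host events and proxy log lines are constructed sample input, not real telemetry.

```python
"""Hunt for the indicators from the fake Intuit / Black Hole campaign.

Added example, not code from the Webroot post. HOST_EVENTS and PROXY_LOG
are constructed sample data; the indicator values are the ones listed in
the post. The two *_SHAPE/PATH heuristics are assumptions (see comments).
"""
import re
from urllib.parse import urlsplit

# --- indicators as listed in the post -------------------------------------
PROCESS_NAME = "KB00121600.exe"  # dropped as %AppData%\KB00121600.exe
REGISTRY_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B",
}
MUTEXES = {
    r"Local\XMM00000508", r"Local\XMI00000508", r"Local\XMRFB119394",
    r"Local\XMM0000009C", r"Local\XMI0000009C", r"Local\XMM000000D8",
    r"Local\XMI000000D8", r"Local\XMM00000388", r"Local\XMI00000388",
}
CNC_SERVERS = {("188.165.33.54", 8080), ("174.142.68.239", 8080)}

# Assumption: the 8 hex digits after XMM/XMI look like a process ID, so they
# will not be stable across runs; match the shape as well as the exact list.
MUTEX_SHAPE_RE = re.compile(r"^Local\\XM[MI][0-9A-F]{8}$")

# Assumption: both C&C URLs are three short base64-alphabet path segments
# with a trailing slash, e.g. /DPNilBA/ue1elBAAAA/tlSHAAAAA/, on port 8080.
# This is a campaign-shape heuristic and will need tuning in a real estate.
CNC_PATH_RE = re.compile(r"^(/[A-Za-z0-9+]{4,12}){3}/$")


def match_host_event(event):
    """Return a label for the indicator an event matches, or None."""
    kind, value = event["type"], event["value"]
    if kind == "process":
        # Compare the basename only: %AppData% expands per user profile.
        basename = value.rsplit("\\", 1)[-1]
        if basename.lower() == PROCESS_NAME.lower():
            return "process:" + PROCESS_NAME
    elif kind == "registry":
        if value in REGISTRY_KEYS:
            return "registry:" + value
    elif kind == "mutex":
        if value in MUTEXES:
            return "mutex:" + value
        if MUTEX_SHAPE_RE.match(value):
            return "mutex-shape:" + value
    return None


def hunt_host_events(events):
    """Return (host, label) for every event that matches an indicator."""
    hits = []
    for event in events:
        label = match_host_event(event)
        if label:
            hits.append((event["host"], label))
    return hits


def match_url(url):
    """Classify a URL as a known C&C server, a same-shape URL, or None."""
    parts = urlsplit(url)
    if (parts.hostname, parts.port) in CNC_SERVERS:
        return "cnc-server"
    if parts.port == 8080 and CNC_PATH_RE.match(parts.path):
        return "cnc-shape"
    return None


def hunt_proxy_log(text):
    """Scan whitespace-separated proxy lines: <time> <src> <method> <url> <status>."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        src, url = fields[1], fields[3]
        label = match_url(url)
        if label:
            hits.append((src, url, label))
    return hits


# --- constructed sample telemetry (not real data) -------------------------
HOST_EVENTS = [
    {"host": "WS-014", "type": "process",
     "value": r"C:\Users\alice\AppData\Roaming\KB00121600.exe"},
    {"host": "WS-014", "type": "registry",
     "value": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4"},
    {"host": "WS-014", "type": "mutex", "value": r"Local\XMM00000508"},
    {"host": "WS-027", "type": "mutex", "value": r"Local\XMM00000A1C"},
    {"host": "WS-027", "type": "registry",
     "value": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion"},
]

PROXY_LOG = """\
2012-03-05T10:12:01Z 10.0.0.15 GET http://188.165.33.54:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/ 200
2012-03-05T10:12:09Z 10.0.0.15 GET http://174.142.68.239:8080/AJtw/UCyqrDAA/Ud+asDAA/ 200
2012-03-05T10:12:30Z 10.0.0.22 GET http://198.51.100.7:8080/QmD3kA/9XvBAAAA/pLwJAAAA/ 200
2012-03-05T10:13:00Z 10.0.0.22 GET http://www.example.com/index.html 200
"""

if __name__ == "__main__":
    for hit in hunt_host_events(HOST_EVENTS) + hunt_proxy_log(PROXY_LOG):
        print(hit)
```

The exact-match hits (known server, listed mutex or key, the dropped executable) are high-confidence; the two shape hits are leads to pivot on, so in practice they should be written to a separate, lower-severity queue rather than blocking traffic outright. The defanged hxxp:// notation in the post is for safe publication; real proxy logs carry http://, which is what the sample lines use.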